Fix Claude Code Failed to Authenticate
The “failed to authenticate” error in Claude Code means your credentials are missing, expired, or misconfigured. This guide walks through every authentication method Claude Code supports and shows you exactly how to fix each failure mode, from expired OAuth tokens to incorrectly set API keys.
The Problem
You launch Claude Code or run a command, and it immediately returns a “failed to authenticate” error. This blocks all AI-assisted work. The error can appear after system updates, token expiration, environment variable changes, or when switching between authentication methods like API keys and OAuth.
Quick Solution
- Check which authentication method you are using:
claude config list
- If using an API key, verify it is set correctly:
echo $ANTHROPIC_API_KEY
- If the key is missing or empty, set it:
export ANTHROPIC_API_KEY="sk-ant-your-key-here"
- If using OAuth (Claude Max subscription), re-authenticate:
claude auth login
- Test the connection:
claude "hello"
How It Works
Claude Code supports multiple authentication paths. The most common is the ANTHROPIC_API_KEY environment variable, which sends your key directly with each API request. When this variable is unset, empty, or contains an invalid key, authentication fails immediately.
OAuth-based authentication through claude auth login stores tokens in ~/.claude/. These tokens expire periodically and must be refreshed. If the refresh token itself expires or becomes corrupted, you see the authentication error.
For enterprise setups using Amazon Bedrock or Google Vertex AI, authentication flows through AWS IAM or GCP service accounts respectively. The CLAUDE_CODE_USE_BEDROCK=1 or CLAUDE_CODE_USE_VERTEX=1 environment variables switch Claude Code to these providers, each with their own credential chain.
CLAUDE.md files do not affect authentication directly, but a misconfigured environment section in your project setup could override the API key variable with an empty value.
Common Issues
Token expired after sleep or restart. OAuth tokens have a limited lifetime. Run claude auth login again. To prevent this, add export ANTHROPIC_API_KEY=... to your shell profile (~/.zshrc or ~/.bashrc) so it persists across sessions.
Wrong API key format. Anthropic API keys start with sk-ant-. If your key does not match this format, you may be using a key from a different provider. Double-check the Anthropic Console at console.anthropic.com.
Environment variable overridden by dotenv. If your project uses .env files with tools like dotenv, an empty ANTHROPIC_API_KEY= line will override your shell export. Check all .env files in your project hierarchy.
Example CLAUDE.md Section
# Authentication Setup
## Environment Requirements
- ANTHROPIC_API_KEY must be set before launching Claude Code
- Do NOT store API keys in this file or any committed file
- Use .env.local (gitignored) for local development keys
## Rules
- Never echo or log the API key value
- If authentication fails, check ~/.claude/ for corrupted tokens
- For CI/CD, use repository secrets, not hardcoded keys
## Troubleshooting Auth
- Run: claude config list
- Run: claude auth status
- Check: echo $ANTHROPIC_API_KEY | head -c 10
- Re-auth: claude auth login
Best Practices
- Store your API key in your shell profile (
~/.zshrcor~/.bashrc) so it survives terminal restarts and system reboots. - Never commit API keys to version control. Use
.env.localfiles that are listed in.gitignore. - Use separate keys for development and production to isolate rate limits and track usage independently.
- Set up a pre-commit hook that scans for accidentally committed secrets using tools like
gitleaksortrufflehog. - For team environments, use OAuth rather than shared API keys so each developer has their own authentication context.
Related Reading
- Anthropic API Error 429 Rate Limit
- Claude Code MCP Server Setup
- Best Way to Integrate Claude Code into Team Workflow
Built by theluckystrike. More at zovo.one